')\n )\n)}\n```\n\nDOMPurify is applied to the raw Markdown input **before** `marked.parse()` processes it. This is the wrong order. DOMPurify sanitizes the Markdown text (which contains no HTML tags), then `marked.parse()` converts Markdown link syntax into HTML `` tags with `javascript:` href, and the result is rendered with `{@html}` unsanitized.\n\nThe correct pattern (used elsewhere in the codebase, e.g., `NotebookView.svelte:77`) is:\n```javascript\nDOMPurify.sanitize(marked.parse(src)) // sanitize AFTER markdown parsing\n```\n\n## Steps to Reproduce\n\n### Prerequisites\n- Open WebUI v0.8.10\n- Admin account\n- A second user account with \"pending\" role\n\n### Steps\n\n1. Log in as admin and navigate to **Admin Settings** → **Settings** → **General**.\n\n2. Set **Default User Role** to `pending`.\n\n3. In the **Pending User Overlay Content** field, enter:\n```\n# Account Pending\n\nYour account is under review.\n\n[Contact Support](javascript:alert(document.domain))\n```\n\n4. Save the settings.\n\n5. In a separate browser (or incognito window), create a new account or log in as a pending user.\n\n6. The pending overlay is displayed. Click the \"Contact Support\" link.\n\n7. A JavaScript alert dialog appears showing `localhost` (the document domain), confirming XSS execution.\n\n### Verified Output\n\nThe `alert(document.domain)` executes successfully, displaying \"localhost\" in a JavaScript dialog box.\n\n## Impact\n\nAn admin can inject arbitrary JavaScript into the Pending User Overlay Content that executes in the browser context of any pending user who views the overlay page. This could be used to:\n\n- **Session hijacking**: Steal pending users' JWT tokens from cookies/localStorage\n- **Credential theft**: Replace the pending overlay with a fake login form\n- **Phishing**: Redirect pending users to malicious sites\n\nWhile this requires admin privileges to set the overlay content, it enables an admin to attack pending users (who have not yet been granted full access). In multi-admin deployments, a compromised admin account could use this to escalate attacks.\n\n## Proposed Fix\n\nApply DOMPurify **after** `marked.parse()`, not before:\n\n```svelte\n\n{@html marked.parse(\n DOMPurify.sanitize(\n ($config?.ui?.pending_user_overlay_content ?? '').replace(/\\n/g, '
')\n )\n)}\n\n\n{@html DOMPurify.sanitize(\n marked.parse(\n ($config?.ui?.pending_user_overlay_content ?? '').replace(/\\n/g, '
'),\n { async: false }\n )\n)}\n```\n
') → marked.parse() → {@html ...}`\n\nThe model description is stored in the database without prior sanitization. Then uses this sanitization function before applying the results to the description.\n\n`index.ts:82-92`\n```ts\nexport const sanitizeResponseContent = (content: string) => {\n return content\n .replace(/<\\|[a-z]*$/, '') // strip incomplete <|tokens\n .replace(/<\\|[a-z]+\\|$/, '') // strip incomplete <|token| \n .replace(/<$/, '') // strip trailing <\n .replaceAll('<', '<') // escape < to <\n .replaceAll('>', '>') // escape > to >\n .replaceAll(/<\\|[a-z]+\\|>/g, ' ') // strip <|token|> patterns\n .trim();\n};\n```\nThis function was designed to sanitize HTML tags, but does not take into consideration that XSS can be triggered via `javascript:` which is the fundamental issue.\n\n`.replaceAll('\\n', '
')` will replace newlines with `
` tags, and since payload can be written without newlines, its unaffected.\n\n`marked` sees `[text](url)` and generated an anchor tag and does not block the payload of `javascript:`.\n\nSvelte's `{@html}` directive inserts raw HTML into the DOM without escaping, creating the vulnerability.\n\nAffected files:\n`src/lib/components/chat/Placeholder.svelte` (lines 177–181)\n`src/lib/components/chat/ChatPlaceholder.svelte` (lines 99–103)\n\n\n### PoC\n\nBelow is a simple PoC that will create a model with a description to trigger an alert when pressing on the hyperlink. Replace the values inside such as HOST and TOKEN with your own values using your own test server.\n\nStep 1 - Create a model with a malicious description. The token used must be from an account with either the following.\nA. Admin privileges\nB. An account with model creation permission\n\n```bash\ncurl -X POST 'http://
')\n)}\n```\n\ninto\n\n```ts\n{@html DOMPurify.sanitize(\n marked.parse(\n sanitizeResponseContent(description).replaceAll('\\n', '
')\n )\n)}\n```\nThis matches the pattern already used in other parts of the application such as but not limiting to `ConfirmDialog.svelte:130` and `NotebookView.svelte:77`. DOMPurify will handle the stripping of `javascript:` URIs, event handlers and other dangerous HTML by default.\n\n### AI Disclosure\n\nClaude was used to assist in:\n\nSystematic codebase searching to identify unsanitized `{@html}` rendering paths\nVerifying `marked@9.1.6` behavior with `javascript:` URIs\n\n## Credits\n\nLin, WeiChi from Sompo Holdings, Inc.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44721","reference_id":"","reference_type":"","scores":[{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10999","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11108","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11101","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.11066","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00036","scoring_system":"epss","scoring_elements":"0.10984","published_at":"2026-06-08T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44721"},{"reference_url":"https://github.com/open-webui/open-webui","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/open-webui/open-webui"},{"reference_url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-gf5m-wcrh-7928","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-19T12:37:29Z/"}],"url":"https://github.com/open-webui/open-webui/security/advisories/GHSA-gf5m-wcrh-7928"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44721","reference_id":"","reference_type":"","scores":[{"value":"7.3","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44721"},{"reference_url":"https://github.com/advisories/GHSA-gf5m-wcrh-7928","reference_id":"GHSA-gf5m-wcrh-7928","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gf5m-wcrh-7928"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/114514?format=json","purl":"pkg:pypi/open-webui@0.9.0","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/open-webui@0.9.0"}],"aliases":["CVE-2026-44721","GHSA-gf5m-wcrh-7928"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-sehc-4tw6-nyfx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90805?format=json","vulnerability_id":"VCID-srwq-9xut-a3g5","summary":"Open WebUI's process_files_batch() endpoint missing ownership check, allows unauthorized file overwrite\n### Summary\n\nAny authenticated user can overwrite any file's content by ID through the `POST /api/v1/retrieval/process/files/batch` endpoint. The endpoint performs no ownership check, so a regular user with read access to a shared knowledge base can obtain file UUIDs via `GET /api/v1/knowledge/{id}/files` and then overwrite those files, escalating from read to write. The overwritten content is served to the LLM via RAG, meaning the attacker controls what the model tells other users.\n\n### Details\n\nThe `process_files_batch()` function in `backend/open_webui/routers/retrieval.py` appears to be designed as an internal helper. The knowledge base router (`add_files_to_knowledge_batch()` in `knowledge.py`) imports and calls it directly after performing its own ownership and access control checks. The frontend never calls the retrieval route directly; all legitimate UI flows go through the knowledge base wrapper.\n\nHowever, the function is also exposed as a standalone HTTP endpoint via `@router.post(...)`. This direct route only requires `get_verified_user` (any authenticated user) and performs no ownership check of its own:\n\n```python\nfor file in form_data.files:\n text_content = file.data.get(\"content\", \"\") # attacker-controlled\n\n file_updates.append(FileUpdateForm(\n hash=calculate_sha256_string(text_content),\n data={\"content\": text_content}, # written to DB\n ))\n\nfor file_update, file_result in zip(file_updates, file_results):\n Files.update_file_by_id(id=file_result.file_id, form_data=file_update)\n # ^^^ no ownership check\n```\n\nThere is no verification that `file.user_id == user.id` before the write. Any authenticated user who knows a file UUID can overwrite that file.\n\n**How an attacker obtains file UUIDs:**\n\nSame as with read access, any user who can see a knowledge base can retrieve file IDs for every document in it via `GET /api/v1/knowledge/{id}/files`. In deployments where knowledge bases are shared across teams, this gives any regular user a list of valid targets.\n\n**Suggested fix:** Add an ownership check before writing:\n\n```python\nfor file in form_data.files:\n db_file = Files.get_file_by_id(file.id)\n if not db_file or (db_file.user_id != user.id and user.role != \"admin\"):\n file_errors.append(BatchProcessFilesResult(\n file_id=file.id, status=\"failed\",\n error=\"Permission denied: not file owner\",\n ))\n continue\n```\n\n**Classification:**\n- CWE-639: Authorization Bypass Through User-Controlled Key\n- OWASP API1:2023: Broken Object Level Authorization\n\nTested on Open WebUI **0.8.3** using a default Docker configuration.\n\n### PoC\n\n**Prerequisites:**\n- Default Open WebUI installation (Docker: `ghcr.io/open-webui/open-webui:main`)\n- An admin or user creates a knowledge base with shared read access and uploads a file\n- A regular user account exists (the attacker)\n\n**Obtaining the file UUID (attacker):**\n\n```\nGET /api/v1/knowledge/{kb_id}/files\n```\n\nThis returns metadata for all files in the KB, including their UUIDs.\n\n**Exploit (attacker):**\n\n```bash\npython3 poc_exploit.py --url http://